Video Transcription

00:05

A carefully crafted and maintained incident response plan outlines plans of action in response to an adverse event.

00:12

Part of that plan is ensuring that when security incidents occur, the proper tools and resources necessary for investigations are prepared and readily available, starting with a dedicated forensic workstation configured with tools and applications to conduct forensically sound electronic investigations.

00:29

Forensic workstations are standalone systems dedicated to investigation activities.

00:34

The workstation should not be used as a day-to-day operational system. It needs to be isolated to prevent contaminating other systems or having the evidence compromised, but still have network connectivity and support for removable storage devices.

00:47

These workstations have tools that handle multiple core drive duplication functions, meaning the ability to support hardware- and network-based duplication and analyze various file systems like NTFS, FAT16 and FAT32, Solaris, BSD, Linux, Macintosh and swap.

01:04

The tools should validate the integrity of both images and files and identify when they were created, accessed, modified or deleted.

01:12

Drive analysis tools performing unallocated disk space analysis and isolation are useful when investigating incidents with large amounts of data or files that have been hidden or deleted. During an investigation, all information relating to a specific case is linked together and available to any investigator working on that case.

01:30

This means system disks, notes and any form of additional evidence related to that event.

01:36

A write blocker is a device or application that permits acquisition of information on a drive without altering the drive or the information.

01:44

For interoperability, it's a good practice to have a collection of different cable types, such as USB, USB-C and SATA,

01:52

various adapters like SATA to USB and micro SATA, and removable storage media, such as flash drives, memory cards and DVD-Rs, available to connect devices or transfer evidence as needed.

02:04

Physical items like crime tape, cameras and tamper-proof seals are needed if marking off a crime scene and capturing, collecting and cataloging evidence.

02:13

Every step of the investigation process must be comprehensively documented.

02:17

This includes the scene itself, equipment, data and the people involved.

02:22

To maintain consistency, investigators follow the same process each time a new case is examined;

02:28

evidence forms and documentation are designed to help achieve this, with an incident response plan being an important part of this documentation.

When an incident is detected, an expedient response should occur, asking questions and reviewing artifacts to devise the response plan of action.

02:53

Next, report the incident to the designated contacts, including local authorities if warranted,

02:59

followed by recovery.

03:00

Recovery will depend on the type of incident, the impact and if preparations were previously established, maybe through a vulnerability management process, for example.

03:09

Remediation is next and includes activities to repair any additional issues and apply mitigation measures.

03:15

The review step wraps up the process with documenting and analyzing the incident, highlighting lessons learned.

03:22

There are a number of forms or formalized processes that are part of an incident response.

03:27

A chain of custody documents all users who accessed artifacts from a case, a log of when, who and how that could be traced back when needed.

03:35

An incident form records comprehensive details about an incident: names of those involved, location, timestamp, et cetera.

03:42

An escalation list is an important document for the forensics kit. It contains contact information for analysts, the type of issues they should be contacted about and when it's appropriate to do so.

03:53

When investigating incidents, established processes are followed to ensure consistency and reliability in handling procedures.

04:00

Having a forensics kit prepared, including a workstation with configured analyst tools and documentation for guiding and recording the response process, is an important component of sound investigation practices.